What is most valuable?
We’re a Linux shop and Qualys gave us good Linux vulnerability scanning; no experience with it on MSFT products. It reports only a few glaring false-positive errors (directory ownership was a common one), and our post-processing dealt with the known exceptions we’d agreed on. The long baseline of iterative results was valuable to track changes and our rate of improvement. Access to the API let us automate its use in our CI/CD pipeline for machine images.
How has it helped my organization?
The biggest benefit was integrating Qualys scanning into our CI/CD pipeline to vulnerability-scan new custom machine images (for OpenStack or AWS) before deployment. We’d build the image, instantiate it, run Qualys against it, get the report, post-process it, look for new errors or changes (if any), review just those and either block deployment or update our exceptions list for next time.
What needs improvement?
The licensing and user permissions are a little wonky for a DevOps team to use, probably because it’s traditionally an InfoSec tool.
For how long have I used the solution?
Symantec has run Qualys Enterprise against our private OpenStack cloud for at least three years; we started using the Qualys VA on AWS in 06/17.
What do I think about the stability of the solution?
Only those which Qualys scanning revealed in our OpenStack implementation.
What do I think about the scalability of the solution?
Not really, we spun up multiple Qualys servers to walk through our data center cloud infrastructure on a regular basis.
How are customer service and technical support?
Pretty poor, as usual for almost all software products now. Getting past the Tier 1 and 2 call center people is always a challenge, so throwing the company name around isn’t a bad idea.
Which solution did I use previously and why did I switch?
Don’t know what, if anything, preceded Qualys at Symantec.
How was the initial setup?
It took about a month to get the Qualys scan completely integrated and automated in our CI/CD pipeline, but much of that was due to licensing issues and poor API documentation, not the product installation itself.
What's my experience with pricing, setup cost, and licensing?
The “bring your own licenses” model for the virtual appliance isn’t what you might think, so get a clear explanation up front before assuming you can go use virtual appliances on AWS.
Which other solutions did I evaluate?
Yes, the Symantec Global Security Office (GSO) did this, and I don’t know who else they looked at when the selection was made.
What other advice do I have?
My team was responsible for operating the Symantec development hybrid cloud (about 6K servers in four DCs and multiple AWS regions). We use Qualys Enterprise to scan our private cloud infrastructure and machine images, and the Qualys Virtual Appliance to do custom AMI validation before deployment in AWS. I don’t recall which versions we used but we kept them up to date.
I give them a seven out of 10. The product is pretty good, but not great. It simply isn’t feasible for a tool like this to be accurate (no false negatives, few false positives), so you wind up doing a fair amount of post-processing of scan results. The profile update cycles are not what I’d like to see, so the vendor isn’t reacting to new threats anywhere near fast enough.
Also, look at other vendors, of course. Tenable was getting a lot of good buzz at Symantec last year. Be clear in advance on how much “overhead” you’re willing to pay in order to run “regular” scans on your DC machines and networks. In the cloud space, it’s somewhat better to verify the base image once, and focus on application vulnerabilities, where possible.